himari 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ac0941b925171e38c0862b97f8a0ad2256c9ac56cfc3d3dd9b59bca1508dc4e
-  data.tar.gz: 37b2fc9399deca00071f07140c53aac84a8deb6169c9cb11f919d34388dae217
+  metadata.gz: d532b382f36d5465772fc09e18feebf0a29db47365e2f5fbd3e83cec7eaa6c4b
+  data.tar.gz: cf9632d941835355bea9cde2435ad6e9993cb278d306e8d5888fc804053cce32
 SHA512:
-  metadata.gz: c0513156a600ffe7a0364ab2c7da45153702afce8c0fd82caf2c6f697529793570f61280abe50316ae5dd491c49908a084fe8d8341ef0a8882a4c5fee5eaf954
-  data.tar.gz: 5b63f0a995ebc2be40440d02831c2bbb40d8928277b3e181ffc0d227546274af0d6fee26f26f4cea9dd90578095b8023c9830973e5d39205273e4a1c7f2633d0
+  metadata.gz: bb564663bea0c6c39cc0a81d4db848f1e7142b9e2d89ddc34d4b2550d99c44dfc6340dddc239d701ac53d53f762519388095a7806b68d29b675215785cbaf90a
+  data.tar.gz: db75ed71b1daef3ae8d3ebbcdf85518c27b9be0fea0a3cc18ca7906271253ac16abc6635c44c5f1b03d3e2a6c3354d02611133e6d71ac4a3e5d6019f756bce47

data/lib/himari/access_token.rb

@@ -1,32 +1,11 @@
-require 'securerandom'
-require 'base64'
-require 'digest/sha2'
-require 'rack/utils'
-
 require 'rack/oauth2'
 require 'openid_connect'
 
+require 'himari/token_string'
+
 module Himari
   class AccessToken
-    class SecretMissing < StandardError; end
-    class SecretIncorrect < StandardError; end
-    class TokenExpired < StandardError; end
-    class InvalidFormat < StandardError; end
-
-    Format = Struct.new(:handler, :secret, keyword_init: true) do
-      HEADER = 'hmat'
-
-      def self.parse(str)
-        parts = str.split('.')
-        raise InvalidFormat unless parts.size == 3
-        raise InvalidFormat unless parts[0] == HEADER
-        new(handler: parts[1], secret: parts[2])
-      end
-
-      def to_s
-        "#{HEADER}.#{handler}.#{secret}"
-      end
-    end
+    include TokenString
 
     class Bearer < Rack::OAuth2::AccessToken::Bearer
       def token_response(options = {})
@@ -36,13 +15,12 @@ module Himari
       end
     end
 
-    def self.make(**kwargs)
-      new(
-        handler: SecureRandom.urlsafe_base64(32),
-        secret: SecureRandom.urlsafe_base64(32),
-        expiry: Time.now.to_i + 3600,
-        **kwargs
-      )
+    def self.magic_header
+      'hmat'
+    end
+
+    def self.default_lifetime
+      3600
     end
 
     # @param authz [Himari::AuthorizationCode]
@@ -50,11 +28,12 @@ module Himari
       make(
         client_id: authz.client_id,
         claims: authz.claims,
+        lifetime: authz.lifetime.access_token,
       )
     end
 
-    def initialize(handler:, client_id:, claims:, expiry:, secret: nil, secret_hash: nil)
-      @handler = handler
+    def initialize(handle:, client_id:, claims:, expiry:, secret: nil, secret_hash: nil)
+      @handle = handle
       @client_id = client_id
       @claims = claims
       @expiry = expiry
@@ -63,32 +42,8 @@ module Himari
       @secret_hash = secret_hash
     end
 
-    attr_reader :handler, :client_id, :claims, :expiry
-
-    def secret
-      raise SecretMissing unless @secret
-      @secret
-    end
-
-    def secret_hash
-      @secret_hash ||= Base64.urlsafe_encode64(Digest::SHA384.digest(secret), padding: false)
-    end
-
-    def verify_secret!(given_secret)
-      dgst = Base64.urlsafe_decode64(secret_hash)
-      given_dgst = Digest::SHA384.digest(given_secret)
-      raise SecretIncorrect unless Rack::Utils.secure_compare(dgst, given_dgst)
-      @secret = given_secret
-      true
-    end
+    attr_reader :handle, :client_id, :claims, :expiry
 
-    def verify_expiry!(now = Time.now)
-      raise TokenExpired if @expiry <= now.to_i
-    end
-
-    def format
-      Format.new(handler: handler, secret: secret)
-    end
 
     def to_bearer
       Bearer.new(
@@ -99,7 +54,7 @@ module Himari
 
     def as_log
       {
-        handler_dgst: Digest::SHA256.hexdigest(handler),
+        handle: handle,
         client_id: client_id,
         claims: claims,
         expiry: expiry,
@@ -108,7 +63,7 @@ module Himari
 
     def as_json
       {
-        handler: handler,
+        handle: handle,
         secret_hash: secret_hash,
         client_id: client_id,
         claims: claims,

data/lib/himari/app.rb

@@ -6,8 +6,11 @@ require 'himari/version'
 
 require 'himari/log_line'
 
+require 'himari/token_string'
 require 'himari/provider_chain'
+
 require 'himari/authorization_code'
+require 'himari/session_data'
 
 require 'himari/middlewares/client'
 require 'himari/middlewares/config'
@@ -26,14 +29,33 @@ module Himari
   class App < Sinatra::Base
     set :root, File.expand_path(File.join(__dir__, '..', '..'))
 
-    set :protection, use: %i(authenticity_token), except: %i(remote_token)
+    # remote_token: disabled in favor of authenticity_token (more stricter)
+    # json_csrf: can be prevented using x-content-type-options:nosniff
+    set :protection, use: %i(authenticity_token), except: %i(remote_token json_csrf)
+
     set :logging, nil
 
     ProviderCandidate = Struct.new(:name, :button, :action, keyword_init: true)
 
+    class InvalidSessionToken < StandardError; end
+
     helpers do
       def current_user
-        session[:session_data]
+        return @current_user if defined? @current_user
+        given_token = session[:himari_session]
+        return nil unless given_token
+
+        given_parsed_token = Himari::SessionData.parse(given_token)
+
+        token = config.storage.find_session(given_parsed_token.handle)
+        raise InvalidSessionToken, "no session found in storage (possibly expired)" unless token
+        token.verify!(secret: given_parsed_token.secret)
+
+        @current_user = token
+      rescue InvalidSessionToken, Himari::TokenString::Error => e
+        logger&.warn(Himari::LogLine.new('invalid session token given', req: request_as_log, err: e.class.inspect))
+        session.delete(:himari_session)
+        nil
       end
 
       def config
@@ -49,7 +71,15 @@ module Himari
       end
 
       def known_providers
-        query = Addressable::URI.form_encode(back_to: request.fullpath)
+        back_to = if request.query_string.empty?
+          request.path
+        else
+          Addressable::URI.parse(request.fullpath).tap do |u|
+            u.query_values = u.query_values.reject { |k,_v| k == 'prompt' }
+          end.to_s
+        end
+        query = Addressable::URI.form_encode(back_to: back_to)
+
         config.providers.map do |pr|
           name = pr.fetch(:name)
           ProviderCandidate.new(
@@ -109,7 +139,7 @@ module Himari
 
     get '/' do
       content_type :text
-      "Himari\n"
+      "Himari #{release_code}\n"
     end
 
     get '/oidc/authorize' do
@@ -118,15 +148,17 @@ module Himari
         logger&.warn(Himari::LogLine.new('authorize: no client registration found', req: request_as_log, client_id: params[:client_id]))
         next halt 401, 'unknown client' 
       end
+
       if current_user
         # do downstream authz and process oidc request
         decision = Himari::Services::DownstreamAuthorization.from_request(session: current_user, client: client, request: request).perform
-        logger&.info(Himari::LogLine.new('authorize: downstream authorized', req: request_as_log, allowed: decision.authz_result.allowed, result: decision.as_log))
+        logger&.info(Himari::LogLine.new('authorize: downstream authorized', req: request_as_log, session: current_user.as_log, allowed: decision.authz_result.allowed, result: decision.as_log))
         raise unless decision.authz_result.allowed # sanity check
 
         authz = AuthorizationCode.make(
           client_id: decision.client.id,
           claims: decision.claims,
+          lifetime: decision.lifetime,
         )
 
         Himari::Services::OidcAuthorizationEndpoint.new(
@@ -137,11 +169,29 @@ module Himari
         ).call(env)
       else
         logger&.info(Himari::LogLine.new('authorize: prompt login', req: request_as_log, client_id: params[:client_id]))
-        erb config.custom_templates[:login] || :login
+        erb(config.custom_templates[:login] || :login)
       end
+
+    rescue Himari::Services::OidcAuthorizationEndpoint::ReauthenticationRequired
+      logger&.warn(Himari::LogLine.new('authorize: prompt login to reauthenticate (demanded by oidc request)',  req: request_as_log, session: current_user&.as_log, allowed: decision&.authz_result&.allowed, result: decision&.as_log))
+      next erb(config.custom_templates[:login] || :login)
+
     rescue Himari::Services::DownstreamAuthorization::ForbiddenError => e
-      logger&.warn(Himari::LogLine.new('authorize: downstream forbidden', req: request_as_log, allowed: e.result.authz_result.allowed, err: e.class.inspect, result: e.as_log))
-      halt 403, "Forbidden"
+      logger&.warn(Himari::LogLine.new('authorize: downstream forbidden', req: request_as_log, session: current_user&.as_log, allowed: e.result.authz_result.allowed, err: e.class.inspect, result: e.as_log))
+
+      @notice = message_human = e.result.authz_result&.user_facing_message
+
+      case e.result.authz_result&.suggestion
+      when nil
+        # do nothing
+      when :reauthenticate
+        logger&.warn(Himari::LogLine.new('authorize: prompt login to reauthenticate (suggested by decision)', req: request_as_log, session: current_user&.as_log, allowed: e.result.authz_result.allowed, err: e.class.inspect, result: e.as_log))
+        next erb(config.custom_templates[:login] || :login)
+      else
+        raise ArgumentError, "Unknown suggestion value for DownstreamAuthorization denial; #{e.as_log.inspect}"
+      end
+
+      halt(403, "Forbidden#{message_human ? "; #{message_human}" : nil}")
     end
 
     token_ep = proc do
@@ -164,7 +214,8 @@ module Himari
     end
     get '/oidc/userinfo', &userinfo_ep
     get '/public/oidc/userinfo', &userinfo_ep
-
+    post '/oidc/userinfo', &userinfo_ep
+    post '/public/oidc/userinfo', &userinfo_ep
 
     jwks_ep = proc do
       Himari::Services::JwksEndpoint.new(
@@ -182,14 +233,21 @@ module Himari
     end
 
     omniauth_callback = proc do
+      authhash = request.env['omniauth.auth']
+      next halt(400, 'Bad Request') unless authhash
+
       # do upstream auth
       authn = Himari::Services::UpstreamAuthentication.from_request(request).perform
-      logger&.info(Himari::LogLine.new('authentication allowed', req: request_as_log, allowed: authn.authn_result.allowed, uid: request.env.fetch('omniauth.auth')[:uid], provider: request.env.fetch('omniauth.auth')[:provider], result: authn.as_log))
+      logger&.info(Himari::LogLine.new('authentication allowed', req: request_as_log, allowed: authn.authn_result.allowed, uid: authhash[:uid], provider: authhash[:provider], result: authn.as_log, existing_session: current_user&.as_log))
       raise unless authn.authn_result.allowed # sanity check
 
       given_back_to = request.env['omniauth.params']&.fetch('back_to', nil)
       back_to = if given_back_to
-        uri = Addressable::URI.parse(given_back_to)
+        uri = begin
+          Addressable::URI.parse(given_back_to)
+        rescue Addressable::URI::InvalidURIError
+          nil
+        end
         if uri && uri.host.nil? && uri.scheme.nil? && uri.path.start_with?('/')
           given_back_to
         else
@@ -199,11 +257,16 @@ module Himari
       end || '/'
 
       session.destroy
-      session[:session_data] = authn.session_data
+
+      new_session = authn.session_data
+      config.storage.put_session(new_session)
+      session[:himari_session] = new_session.format.to_s
+
       redirect back_to
     rescue Himari::Services::UpstreamAuthentication::UnauthorizedError => e
-      logger&.warn(Himari::LogLine.new('authentication denied', req: request_as_log, err: e.class.inspect, allowed: e.result.authn_result.allowed, uid: request.env.fetch('omniauth.auth')[:uid], provider: request.env.fetch('omniauth.auth')[:provider], result: e.as_log))
-      halt(401, 'Unauthorized')
+      logger&.warn(Himari::LogLine.new('authentication denied', req: request_as_log, err: e.class.inspect, allowed: e.result.authn_result.allowed, uid: request.env.fetch('omniauth.auth')[:uid], provider: request.env.fetch('omniauth.auth')[:provider], result: e.as_log, existing_session: current_user&.as_log))
+      message_human = e.result.authn_result&.user_facing_message
+      halt(401, "Unauthorized#{message_human ? "; #{message_human}" : nil}")
     end
     get '/auth/:provider/callback', &omniauth_callback
     post '/auth/:provider/callback', &omniauth_callback

data/lib/himari/authorization_code.rb

@@ -1,4 +1,5 @@
 require 'digest/sha2'
+require 'himari/lifetime_value'
 
 module Himari
   authz_attrs = %i(
@@ -10,17 +11,38 @@ module Himari
     nonce
     code_challenge
     code_challenge_method
+    created_at
+    lifetime
     expiry
   )
   AuthorizationCode = Struct.new(*authz_attrs, keyword_init: true) do
     def self.make(**kwargs)
       new(
         code: SecureRandom.urlsafe_base64(32),
-        expiry: Time.now.to_i + 900,
+        created_at: Time.now.to_i,
         **kwargs,
       )
     end
 
+    alias _lifetime_raw lifetime
+    private :_lifetime_raw
+    def lifetime
+      case _lifetime_raw
+      when Hash
+        self.lifetime = LifetimeValue.new(**_lifetime_raw)
+      when Integer #compat
+        self.lifetime = LifetimeValue.from_integer(_lifetime_raw)
+      else
+        _lifetime_raw
+      end
+    end
+
+    alias _expiry_raw expiry
+    private :_expiry_raw
+    def expiry
+      self._expiry_raw || (self.expiry = created_at + (lifetime&.code || 900))
+    end
+
     def valid_redirect_uri?(given_uri)
       redirect_uri == given_uri
     end
@@ -59,6 +81,8 @@ module Himari
         claims: claims,
         nonce: nonce,
         openid: openid,
+        created_at: created_at.to_i,
+        lifetime: lifetime.as_log,
         expiry: expiry.to_i,
         pkce: pkce?,
         pkce_method: code_challenge_method,
@@ -76,6 +100,8 @@ module Himari
         nonce: nonce,
         code_challenge: code_challenge,
         code_challenge_method: code_challenge_method,
+        created_at: created_at.to_i,
+        lifetime: lifetime.as_json,
         expiry: expiry.to_i,
       }
     end

data/lib/himari/client_registration.rb

@@ -10,6 +10,7 @@ module Himari
       @redirect_uris = redirect_uris
       @preferred_key_group = preferred_key_group
 
+      raise ArgumentError, "name starts with '_' is reserved" if @name&.start_with?('_')
       raise ArgumentError, "either secret or secret_hash must be present" if !@secret && !@secret_hash
     end
 

data/lib/himari/decisions/authorization.rb

@@ -1,4 +1,5 @@
 require 'himari/decisions/base'
+require 'himari/lifetime_value'
 
 module Himari
   module Decisions
@@ -19,28 +20,38 @@ module Himari
 
       allow_effects(:allow, :deny, :continue, :skip)
 
-      def initialize(claims: {}, allowed_claims: DEFAULT_ALLOWED_CLAIMS, lifetime: 3600 * 12)
+      def initialize(claims: {}, allowed_claims: DEFAULT_ALLOWED_CLAIMS, lifetime: 3600)
         super()
         @claims = claims
         @allowed_claims = allowed_claims
-        @lifetime = lifetime
+        self.lifetime = lifetime
       end
 
-      attr_reader :claims, :allowed_claims, :lifetime
+      attr_reader :claims, :allowed_claims
+      attr_reader :lifetime
+
+      def lifetime=(x)
+        case x
+        when LifetimeValue
+          @lifetime = x
+        else
+          @lifetime = LifetimeValue.from_integer(x)
+        end
+      end
 
       def to_evolve_args
         {
           claims: @claims.dup,
           allowed_claims: @allowed_claims.dup,
-          lifetime: @lifetime&.to_i,
+          lifetime: @lifetime,
         }
       end
 
       def as_log
-        to_h.merge(claims: output, lifetime: @lifetime&.to_i)
+        to_h.merge(claims: output_claims, lifetime: @lifetime.to_h)
       end
 
-      def output
+      def output_claims
         claims.select { |k,_v| allowed_claims.include?(k) }
       end
     end

data/lib/himari/decisions/base.rb

@@ -18,7 +18,7 @@ module Himari
         raise "#{self.class.name}.valid_effects is missing [BUG]" unless self.class.valid_effects
       end
 
-      attr_reader :effect, :effect_comment, :rule_name
+      attr_reader :effect, :effect_comment, :effect_user_facing_message, :effect_suggestion, :rule_name
 
       def to_evolve_args
         raise NotImplementedError
@@ -29,7 +29,10 @@ module Himari
           rule_name: rule_name,
           effect: effect,
           effect_comment: effect_comment,
-        }
+        }.tap do |x|
+          x[:effect_user_facing_message] = effect_user_facing_message if effect_user_facing_message
+          x[:effect_suggestion] = effect_suggestion if effect_suggestion
+        end
       end
 
       def as_log
@@ -46,18 +49,21 @@ module Himari
         self
       end
 
-      def decide!(effect, comment = "")
+      def decide!(effect, comment = "", user_facing_message: nil, suggest: nil)
         raise DecisionAlreadyMade, "decision can only be made once per rule (#{rule_name})" if @effect
         raise InvalidEffect, "this effect is not valid under this rule. Valid effects: #{self.class.valid_effects.inspect} (#{rule_name})" unless self.class.valid_effects.include?(effect)
+        raise InvalidEffect, "only deny effect can have suggestion" if suggest&& effect != :deny
         @effect = effect
         @effect_comment = comment
+        @effect_user_facing_message = user_facing_message
+        @effect_suggestion = suggest
         nil
       end
 
-      def allow!(comment = ""); decide!(:allow, comment); end
-      def continue!(comment = ""); decide!(:continue, comment); end
-      def deny!(comment = ""); decide!(:deny, comment); end
-      def skip!(comment = ""); decide!(:skip, comment); end
+      def allow!(*args, **kwargs); decide!(:allow, *args, **kwargs); end
+      def continue!(*args, **kwargs); decide!(:continue, *args, **kwargs); end
+      def deny!(*args, **kwargs); decide!(:deny, *args, **kwargs); end
+      def skip!(*args, **kwargs); decide!(:skip, *args, **kwargs); end
     end
   end
 end

data/lib/himari/decisions/claims.rb

@@ -13,16 +13,20 @@ module Himari
 
       allow_effects(:continue, :skip)
 
-      def initialize(claims: nil, user_data: nil)
+      def initialize(claims: nil, user_data: nil, lifetime: nil)
         super()
         @claims = claims
         @user_data = user_data
+        @lifetime = lifetime
       end
 
+      attr_accessor :lifetime
+
       def to_evolve_args
         {
           claims: @claims.dup,
           user_data: @user_data.dup,
+          lifetime: @lifetime&.to_i,
         }
       end
 
@@ -31,7 +35,7 @@ module Himari
       end
 
       def output
-        Himari::SessionData.new(claims: claims, user_data: user_data)
+        Himari::SessionData.make(claims: claims, user_data: user_data, lifetime: lifetime)
       end
 
       def initialize_claims!(claims = {})

data/lib/himari/id_token.rb

@@ -7,15 +7,17 @@ module Himari
   class IdToken
     # @param authz [Himari::AuthorizationCode]
     def self.from_authz(authz, **kwargs)
+      
       new(
         claims: authz.claims,
         client_id: authz.client_id,
         nonce: authz.nonce,
+        lifetime: authz.lifetime.is_a?(Integer) ? authz.lifetime : authz.lifetime.id_token, # compat
         **kwargs
       )
     end
 
-    def initialize(claims:, client_id:, nonce:, signing_key:, issuer:, access_token: nil, time: Time.now)
+    def initialize(claims:, client_id:, nonce:, signing_key:, issuer:, access_token: nil, time: Time.now, lifetime: 3600)
       @claims = claims
       @client_id = client_id
       @nonce = nonce
@@ -23,6 +25,7 @@ module Himari
       @issuer = issuer
       @access_token = access_token
       @time = time
+      @lifetime = lifetime
     end
 
     attr_reader :claims, :nonce, :signing_key
@@ -34,7 +37,7 @@ module Himari
         aud: @client_id,
         iat: @time.to_i,
         nbf: @time.to_i,
-        exp: (@time + 3600).to_i, # TODO: lifetime
+        exp: (@time + @lifetime).to_i,
       ).merge(
         @nonce ? { nonce: @nonce } : {}
       ).merge(

data/lib/himari/lifetime_value.rb

@@ -0,0 +1,15 @@
+module Himari
+  LifetimeValue = Struct.new(:access_token, :id_token, :code, keyword_init: true) do
+    def self.from_integer(i)
+      new(access_token: i, id_token: i, code: nil)
+    end
+
+    def as_log
+      as_json&.compact
+    end
+
+    def as_json
+      {access_token: access_token, id_token: id_token, code: code}
+    end
+  end
+end

data/lib/himari/rule_processor.rb

@@ -2,7 +2,7 @@ module Himari
   class RuleProcessor
     class MissingDecisionError < StandardError; end
 
-    Result = Struct.new(:rule_name, :allowed, :explicit_deny, :decision, :decision_log, keyword_init: true) do
+    Result = Struct.new(:rule_name, :allowed, :explicit_deny, :decision, :decision_log, :user_facing_message, :suggestion, keyword_init: true) do
       def as_log
         {
           rule_name: rule_name,
@@ -10,7 +10,9 @@ module Himari
           explicit_deny: explicit_deny,
           decision: decision&.as_log,
           decision_log: decision_log.map(&:to_h),
-        }
+        }.tap do |x|
+          x[:suggestion] = suggestion if suggestion
+        end
       end
     end
 
@@ -47,6 +49,7 @@ module Himari
         result.decision = decision
         result.allowed = true
         result.explicit_deny = false
+        result.user_facing_message = decision.effect_user_facing_message
 
       when :continue
         @decision = decision
@@ -61,6 +64,8 @@ module Himari
         result.decision = nil
         result.allowed = false
         result.explicit_deny = true
+        result.user_facing_message = decision.effect_user_facing_message
+        result.suggestion = decision.effect_suggestion
 
       else
         raise "Unknown effect #{decision.effect} [BUG]"

data/lib/himari/services/downstream_authorization.rb

@@ -21,7 +21,7 @@ module Himari
         end
       end
 
-      Result = Struct.new(:client, :claims, :authz_result) do
+      Result = Struct.new(:client, :claims, :lifetime, :authz_result) do
         def as_log
           {
             client: client.as_log,
@@ -63,10 +63,11 @@ module Himari
         context = Himari::Decisions::Authorization::Context.new(claims: @session.claims, user_data: @session.user_data, request: @request, client: @client).freeze
 
         authorization = Himari::RuleProcessor.new(context, Himari::Decisions::Authorization.new(claims: @session.claims.dup)).run(@authz_rules)
-        raise ForbiddenError.new(Result.new(@client, nil, authorization)) unless authorization.allowed
+        raise ForbiddenError.new(Result.new(@client, nil, nil, authorization)) unless authorization.allowed
 
-        claims = authorization.decision.output
-        Result.new(@client, claims, authorization)
+        claims = authorization.decision.output_claims
+        lifetime = authorization.decision.lifetime
+        Result.new(@client, claims, lifetime, authorization)
       end
     end
   end

data/lib/himari/services/oidc_authorization_endpoint.rb

@@ -5,6 +5,8 @@ require 'openid_connect'
 module Himari
   module Services
     class OidcAuthorizationEndpoint
+      class ReauthenticationRequired < StandardError; end
+
       SUPPORTED_RESPONSE_TYPES = ['code'] # TODO: share with oidc metadata
 
       # @param authz [Himari::AuthorizationCode] pending (unpersisted) authz data
@@ -39,6 +41,8 @@ module Himari
 
           req.unsupported_response_type! if res.protocol_params_location == :fragment
           req.bad_request!(:request_uri_not_supported, "Request Object is not implemented") if req.request_uri || req.request
+          req.bad_request!(:invalid_request, 'prompt=none should not contain any other value') if req.prompt.include?('none') && req.prompt.any? { |x| x != 'none' }
+          raise ReauthenticationRequired if req.prompt.include?('login') || req.prompt.include?('select_account')
 
           requested_response_types = [*req.response_type]
           unless SUPPORTED_RESPONSE_TYPES.include?(requested_response_types.map(&:to_s).join(' '))

data/lib/himari/services/oidc_userinfo_endpoint.rb

@@ -1,4 +1,5 @@
 require 'himari/access_token'
+require 'himari/token_string'
 require 'himari/log_line'
 
 module Himari
@@ -33,9 +34,9 @@ module Himari
           return [404, {'Content-Type' => 'application/json'}, ['{"error": "not_found"}']] unless %w(GET POST).include?(@env['REQUEST_METHOD'])
 
           raise InvalidToken unless given_token
-          given_parsed_token = Himari::AccessToken::Format.parse(given_token)
+          given_parsed_token = Himari::AccessToken.parse(given_token)
 
-          token = @storage.find_token(given_parsed_token.handler)
+          token = @storage.find_token(given_parsed_token.handle)
           raise InvalidToken unless token
           token.verify_expiry!()
           token.verify_secret!(given_parsed_token.secret)
@@ -46,7 +47,7 @@ module Himari
             {'Content-Type' => 'application/json; charset=utf-8'},
             [JSON.pretty_generate(token.claims), "\n"],
           ]
-        rescue InvalidToken, Himari::AccessToken::SecretIncorrect, Himari::AccessToken::InvalidFormat, Himari::AccessToken::TokenExpired => e
+        rescue InvalidToken, Himari::TokenString::SecretIncorrect, Himari::TokenString::InvalidFormat, Himari::TokenString::TokenExpired => e
           @logger&.warn(Himari::LogLine.new('OidcUserinfoEndpoint: invalid_token', req: @env['himari.request_as_log'], err: e.class.inspect, token: token&.as_log))
           [
             401,

data/lib/himari/services/upstream_authentication.rb

@@ -27,7 +27,7 @@ module Himari
       Result = Struct.new(:claims_result, :authn_result, :session_data) do
         def as_log
           {
-            claims: session_data&.claims,
+            session: session_data&.as_log,
             decision: {
               claims: claims_result&.as_log&.reject{ |k,_v| %i(allowed explicit_deny).include?(k) },
               authentication: authn_result&.as_log,

data/lib/himari/session_data.rb

@@ -1,7 +1,46 @@
+require 'himari/token_string'
+
 module Himari
-  SessionData = Struct.new(:claims, :user_data, keyword_init: true) do
+  class SessionData
+    include Himari::TokenString
+
+    def initialize(claims: {}, user_data: {}, handle:, secret: nil, secret_hash: nil, expiry: nil)
+      @claims = claims
+      @user_data = user_data
+
+      @handle = handle
+      @secret = secret
+      @secret_hash = secret_hash
+      @expiry = expiry
+    end
+
+    def self.magic_header
+      'hmas'
+    end
+
+    def self.default_lifetime
+      3600
+    end
+
+    attr_reader :claims, :user_data
+
     def as_log
-      {claims: claims}
+      {
+        handle: handle,
+        claims: claims,
+        expiry: expiry,
+      }
+    end
+
+    def as_json
+      {
+        handle: handle,
+        secret_hash: secret_hash,
+        expiry: expiry,
+
+        claims: claims,
+        user_data: user_data,
+      }
     end
   end
 end

data/lib/himari/storages/base.rb

@@ -1,5 +1,6 @@
 require 'himari/authorization_code'
 require 'himari/access_token'
+require 'himari/session_data'
 
 module Himari
   module Storages
@@ -23,23 +24,40 @@ module Himari
         delete('authz', code)
       end
 
-      def find_token(handler)
-        content = read('token', handler)
+      def find_token(handle)
+        content = read('token', handle)
+        content[:handle] = content.delete(:handle) if content.key?(:handler) # compat
         content && AccessToken.new(**content)
       end
 
       def put_token(token, overwrite: false)
-        write('token', token.handler, token.as_json, overwrite: overwrite)
+        write('token', token.handle, token.as_json, overwrite: overwrite)
       end
 
       def delete_token(token)
-        delete_authorization_by_token(token.handler)
+        delete_authorization_by_token(token.handle)
       end
 
-      def delete_token_by_handler(handler)
-        delete('token', handler)
+      def delete_token_by_handle(handle)
+        delete('token', handle)
       end
 
+      def find_session(handle)
+        content = read('session', handle)
+        content && SessionData.new(**content)
+      end
+
+      def put_session(session, overwrite: false)
+        write('session', session.handle, session.as_json, overwrite: overwrite)
+      end
+
+      def delete_session(session)
+        delete_session_by_handle(session.handle)
+      end
+
+      def delete_session_by_handle(handle)
+        delete('session', handle)
+      end
 
       private def write(kind, key, content, overwrite: false)
         raise NotImplementedError

data/lib/himari/token_string.rb

@@ -0,0 +1,96 @@
+require 'securerandom'
+require 'base64'
+require 'digest/sha2'
+require 'rack/utils'
+
+module Himari
+  module TokenString
+    class Error < StandardError; end
+    class SecretMissing < Error; end
+    class SecretIncorrect < Error; end
+    class TokenExpired < Error; end
+    class InvalidFormat < Error; end
+
+    module ClassMethods
+      def magic_header
+        raise NotImplementedError
+      end
+
+      def default_lifetime
+        raise NotImplementedError
+      end
+
+      def make(lifetime: nil, **kwargs)
+        new(
+          handle: SecureRandom.urlsafe_base64(32),
+          secret: SecureRandom.urlsafe_base64(48),
+          expiry: Time.now.to_i + (lifetime || default_lifetime),
+          **kwargs
+        )
+      end
+
+      def parse(str)
+        Format.parse(magic_header, str)
+      end
+    end
+
+    def self.included(k)
+      k.extend(ClassMethods)
+    end
+
+    def handle
+      @handle
+    end
+
+    def expiry
+      @expiry
+    end
+
+    def secret
+      raise SecretMissing unless @secret
+      @secret
+    end
+
+    def secret_hash
+      @secret_hash ||= Base64.urlsafe_encode64(Digest::SHA384.digest(secret), padding: false)
+    end
+
+    def verify!(secret:, now: Time.now)
+      verify_expiry!(now)
+      verify_secret!(secret)
+    end
+
+    def verify_secret!(given_secret)
+      dgst = Base64.urlsafe_decode64(secret_hash) # TODO: rescue errors
+      given_dgst = Digest::SHA384.digest(given_secret)
+      raise SecretIncorrect unless Rack::Utils.secure_compare(dgst, given_dgst)
+      @secret = given_secret
+      true
+    end
+
+    def verify_expiry!(now = Time.now)
+      raise TokenExpired if @expiry <= now.to_i
+    end
+
+    Format = Struct.new(:header, :handle, :secret, keyword_init: true) do
+      def self.parse(header, str)
+        parts = str.split('.')
+        raise InvalidFormat unless parts.size == 3
+        raise InvalidFormat unless parts[0] == header
+        new(header: header, handle: parts[1], secret: parts[2])
+      end
+
+      def to_s
+        "#{header}.#{handle}.#{secret}"
+      end
+    end
+
+    def magic_header
+      self.class.magic_header
+    end
+
+    def format
+      Format.new(header: magic_header, handle: handle, secret: secret)
+    end
+  end
+end

data/lib/himari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Himari
-  VERSION = "0.2.0"
+  VERSION = "0.4.0"
 end

data/public/public/index.css

@@ -1,5 +1,7 @@
-body {
+body, button, select {
   font-family: "Segoe UI", Helvetica, sans-serif;
+}
+body {
   font-size: 16px;
   background-color: #FDF7EF;
   text-align: center;
@@ -58,6 +60,19 @@ main > header img, main > footer img {
   margin-top: 30px;
 }
 
+.notice {
+  background-color: white;
+  border: 1px #bfa88a solid;
+  border-radius: 4px;
+  padding: 4px;
+  margin: 12px;
+  margin-bottom: 24px;
+}
+
+footer, footer a, footer a:visited {
+  color: #5e5e6b;
+}
+
 .d-none {
   display: none;
 }

data/views/login.erb

@@ -16,6 +16,12 @@
       <header>
         <h1><%= msg(:title, "Login to Himari") %></h1>
         <%= msg(:header) %>
+
+        <% if @notice %>
+          <div class='notice'>
+            <p><%=h @notice %></p>
+          </div>
+        <% end %>
       </header>
 
       <nav class='actions'>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: himari
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Sorah Fukumori
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-03-21 00:00:00.000000000 Z
+date: 2023-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra
@@ -117,6 +117,7 @@ files:
 - lib/himari/id_token.rb
 - lib/himari/item_provider.rb
 - lib/himari/item_providers/static.rb
+- lib/himari/lifetime_value.rb
 - lib/himari/log_line.rb
 - lib/himari/middlewares/authentication_rule.rb
 - lib/himari/middlewares/authorization_rule.rb
@@ -139,6 +140,7 @@ files:
 - lib/himari/storages/base.rb
 - lib/himari/storages/filesystem.rb
 - lib/himari/storages/memory.rb
+- lib/himari/token_string.rb
 - lib/himari/version.rb
 - public/public/index.css
 - sig/himari.rbs